We’re running TC 13.1 with Access Manager and have a critical issue with external users accessing cost reports. Our supplier partners have guest accounts with read-only access to specific project data, but when they try to generate cost reports through the standard Cost Management module interface, they get “Access Denied” errors.
Internal users with similar read permissions can generate these reports without issues. I’ve checked the external user group ACLs and they seem to have proper read access to the cost objects. The role assignments look correct on paper, but something’s blocking the report generation specifically for external accounts.
This is impacting our supplier collaboration workflow as partners need visibility into cost breakdowns for their components. Has anyone dealt with cost report object sharing differences between internal and external user groups? What additional ACL rules or role configurations are needed beyond standard read access?
We had similar friction with external auditors. The problem was in the Access Manager policy definitions. Even with correct ACLs, the policy rules were evaluating external user groups differently during the report workflow. Check your policy conditions - there might be explicit blocks on report operations for guest accounts that override the object-level ACLs. Look at the EffectiveAccess diagnostic tool output for one of these blocked users.
Also verify the organizational context rules. External users often have restricted context access that blocks cross-context queries. Cost reports typically aggregate data from multiple products or projects, which requires traversal privileges across organizational boundaries. Your ACL might be scoped too narrowly to the specific project context without allowing the broader view needed for report generation.
I’ve seen this exact scenario. The issue isn’t just about read access to cost objects - it’s about the report generation process itself. When Cost Management generates reports, it creates temporary objects and aggregates data across multiple contexts. External users need specific privileges on the CostReport and CostAnalysis object types, not just the underlying cost data. Check if your guest role has CREATE_INSTANCE privilege on wt.cost.CostReport.